<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 24/10/2022 at 20:41, Clément Hermann
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c5c27b0e-148e-4ad5-5163-b71d38f9b16b@debian.org">
<br>
- <a title="CVE-2022-21694" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-h29c-wcm8-883h/hovercard"
href="https://github.com/advisories/GHSA-h29c-wcm8-883h"
moz-do-not-send="true">CVE-2022-21694</a> affects Bullseye, but
that might be an acceptable risk? The issue is that CSP can only
be turned on or off, not configured to allow JS etc., so it is only
useful for static websites. I believe that's the most common usage
of a website with onionshare, and it's arguably a missing feature
more than a vulnerability <i>per se</i>.<br>
<br>
- <a title="CVE-2022-21689" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-jh82-c5jw-pxpc/hovercard"
href="https://github.com/advisories/GHSA-jh82-c5jw-pxpc"
moz-do-not-send="true">CVE-2022-21689</a> fix should be easy to
backport, at a glance:
<a class="moz-txt-link-freetext"
href="https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377"
moz-do-not-send="true">https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377</a><br>
<br>
- <a title="CVE-2021-41868" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-7g47-xxff-9p85/hovercard"
href="https://github.com/advisories/GHSA-7g47-xxff-9p85"
moz-do-not-send="true">CVE-2021-41868</a> doesn't affect 2.2, I
think; it must have been a mistake from mig5. I just asked for
confirmation. I do hope so, since it's a bad one.<br>
</blockquote>
<br>
Sadly, upstream rectified this and confirms it affects 2.2 [0], and it
has been tested and reproduced on Bullseye. We do need to fix it.
Upstream has a few suggestions, but I guess our choices are either
uploading 2.5 to stable, if that's possible. python-stem at least
will need to be updated as well, from 1.8.0 to 1.8.1, which luckily
is bug-fix only.<br>
<br>
<blockquote type="cite"
cite="mid:c5c27b0e-148e-4ad5-5163-b71d38f9b16b@debian.org"> - <a
title="CVE-2022-21690" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-ch22-x2v3-v6vq/hovercard"
href="https://github.com/advisories/GHSA-ch22-x2v3-v6vq"
moz-do-not-send="true">CVE-2022-21690</a> seems like a one-line
patch:
<a class="moz-txt-link-freetext"
href="https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0"
moz-do-not-send="true">https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0</a><br>
<br>
- <a title="CVE-2022-21688" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-x7wr-283h-5h2v/hovercard"
href="https://github.com/advisories/GHSA-x7wr-283h-5h2v"
moz-do-not-send="true">CVE-2022-21688</a> seems like it should
be worked around with the <a title="CVE-2022-21690"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-ch22-x2v3-v6vq/hovercard"
href="https://github.com/advisories/GHSA-ch22-x2v3-v6vq"
moz-do-not-send="true">CVE-2022-21690</a> fix (OTF-001)?<br>
<br>
I'd welcome input on those.<br>
<br>
</blockquote>
Of course, if we choose to update onionshare to 2.5 in stable, we fix
those as well.<br>
<br>
[0]
<a class="moz-txt-link-freetext" href="https://github.com/onionshare/onionshare/issues/1633#issuecomment-1289735350">https://github.com/onionshare/onionshare/issues/1633#issuecomment-1289735350</a><br>
<br>
Cheers,<br>
<pre class="moz-signature" cols="72">--
nodens</pre>
</body>
</html>